[Plugin] Disable Security Mitigations



@Squid is right. It's a nicer two-fer. Since we are in a world of chips right now that are not immune to these attacks at the HW level, we are getting updates in two channels right now: BIOS-level microcode updates, Windows patch-level updates, Linux kernel-level patches and microcode updates, etc. Okay, so more than two channels 🙂 (It's a mess is the easy way).

 

With that, only some vulnerabilities are addressed at the BIOS level with microcode. Others are being handled by patches and updates. To FULLY disable it all would require not only staying on an older unpatched BIOS (for some, they may have no option, as MB vendors and Intel are only retrofitting so far back), but also applying these mitigations. I don't really recommend staying on an old BIOS, as other features come in newer BIOS versions, like AGESA updates and CPU compatibility for newer chips on older chipsets. As noted in the plugin, there are still a good amount of mitigations we can disable at the kernel level, and users are seeing perf gains in the VM space.

 

As new CPUs are patched at the hardware level, this will be even more confusing, since we will have microcode in BIOS updates that applies only to certain CPUs but not other ones, and then patches at the OS level that will seemingly apply to everyone, since we all pay the price at the OS level.

Edited by cybrnook
6 hours ago, jbartlett said:

Disabling the patches gave me a 2.4% boost (5 tests averaged) on a Threadripper 2990WX using Passmark's CPU benchmark only testing against a single NUMA node in a Win 10 VM.

Thanks for the input. So, in your case for one, you are an AMD system not Intel. So your platform isn't as heavily hit as say my 2011v3 based Intel systems, since Intel is really behind the ball on these patches.

 

As well, I don't want the impression that disabling these is a magic +30% performance boost across the board on all benchmark suites; that's absolutely not the case. But what we can see, like from @zoggy's EXCELLENT pre/post test case on an Intel-based system, he sees perf boosts across the board, and up to 80% improvement in context switching (almost at the bottom of the page): https://openbenchmarking.org/result/1906037-HV-190603PTS41,1906033-HV-190603PTS92

 

So the benefits are real, if your use cases are in alignment, and are Intel based. Not to say though that disabling the overhead on an AMD system is not fruitful as well, especially on the OS level. Just don't expect an even +30% across the board, all platforms, etc....

 

With that said, I look forward to maybe bouncing some ideas off you when I get my 2970WX system up and running. It's all here, just no time to actually build it out 🙂 Plus the fact we have been battling SLES scheduling issues on IBM Power at work, and it's issues that we faced on incorrect affinity scheduling/assignments to non-optimal NUMA nodes.... I am taking a little time before hopping right back into that 🙂

Edited by cybrnook
36 minutes ago, cybrnook said:

So the benefits are real, if your use cases are in alignment, and are Intel based. Just don't expect an even +30% across the board, all platforms, etc....

Honestly, getting 2 or 3% on average is already a lot in my book and enough to bother. People overclock and sometimes stress their components a lot for barely more than that. Getting more than that in some specific scenarios is just a nice bonus.

  • 2 weeks later...
  • 1 month later...
On 6/2/2019 at 3:03 PM, Squid said:

My Settings Tab is getting too full ;)  IE: I don't know.  Just where I initially thought it would go.  Initially I was going to stick it next to Syslinux Configuration under Flash Settings, but since I can never easily remember where exactly syslinux settings is in the first place, I figured that was a pointless place to put it.

I've often thought that the Tools tab is where most plugins should be. Most of mine are tools/utilities, not settings. 

  • 2 months later...

I am running 6.8-RC4, installed the plugin, clicked disable mitigations, rebooted, and still the plugin says mitigations are enabled.... Anything I am doing wrong?

[Attached image]

 

Could there be issues with all the other stuff I have in the configuration?

[Attached image]

 

Also, here is my Server's info, pretty old BIOS, shouldn't be patched for all vulnerabilities:

[Attached image]

Edited by huntastikus
Added Mobo info

It says that it's currently enabled.  And on a reboot, it's still saying enabled?  (And you are leaving the system to boot into GUI mode)  Could be a bug in the detection because you've got 2 append lines  (everything can go onto a single line), which may also mess up the boot and it's only doing the second line, not the first. (out of my control)

Edited by Squid
13 hours ago, huntastikus said:

I am also running Unraid Nvidia (provided by the great peeps from linux server), do you think it would be a thing they may have included in the image?

Actually, here's the easy way to tell if the two append lines are messing up the boot.  What's the output of

cat /proc/cmdline

 

11 hours ago, Squid said:

It says that it's currently enabled.  And on a reboot, it's still saying enabled?  (And you are leaving the system to boot into GUI mode)  Could be a bug in the detection because you've got 2 append lines  (everything can go onto a single line), which may also mess up the boot and it's only doing the second line, not the first. (out of my control)

Alas, you were correct, I combined both lines into 1, mitigations are off now, and all my parameters are working now. Thank you very much
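
Added example, not part of any post in this thread and not the plugin's own code: a shell check for the situation resolved above, where a syslinux label with two append lines left the running kernel without some of the parameters. The config and the parameter names (mitigations=off, isolcpus=2-5) are constructed sample values, since the thread does not show the real file, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample config: one label has its parameters split over two append lines.
sample_cfg() {
    cat <<'EOF'
default menu.c32
label Unraid OS
  menu default
  kernel /bzimage
  append mitigations=off isolcpus=2-5
  append initrd=/bzroot
label Unraid OS GUI Mode
  kernel /bzimage
  append initrd=/bzroot,/bzroot-gui
EOF
}

# Print every label that carries more than one append line.  $1 = config file
split_append_labels() {
    awk '
        function flush() { if (label != "" && n > 1) print label ": " n " append lines" }
        tolower($1) == "label"  { flush(); label = $0
                                  sub(/^[ \t]*[A-Za-z]+[ \t]+/, "", label); n = 0; next }
        tolower($1) == "append" { n++ }
        END { flush() }
    ' "$1"
}

# Print the single append line a label should have.  $1 = config file, $2 = label
merged_append() {
    awk -v want="$2" '
        tolower($1) == "label" { cur = $0; sub(/^[ \t]*[A-Za-z]+[ \t]+/, "", cur); next }
        cur == want && tolower($1) == "append" {
            a = $0; sub(/^[ \t]*[A-Za-z]+[ \t]+/, "", a)
            out = out (out == "" ? "" : " ") a
        }
        END { if (out != "") print "append " out }
    ' "$1"
}

# Succeed only if the kernel command line holds the exact token.
# $1 = parameter, $2 = cmdline file (defaults to the running kernel's)
cmdline_has() {
    tr ' ' '\n' < "${2:-/proc/cmdline}" | grep -qxF -- "$1"
}

# Demo on the constructed sample only; nothing on the host is read or changed.
cfg=$(mktemp)
sample_cfg > "$cfg"
split_append_labels "$cfg"
merged_append "$cfg" "Unraid OS"
rm -f "$cfg"
```

Run against the real config file, then compare with cmdline_has after a reboot: the plugin's status only matters if the parameter actually appears in /proc/cmdline.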
